But as I've talked about many times in the past, security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers. Fact is, most individuals who are not full-time security professionals often make mistakes when trying to decide whether something is legitimate -- witness the ongoing success of phishing and 419 scams. And organizations, unless they run highly locked-down environments, often can't know everything their users are doing.

As I said in the previous post, anti-malware is not useless. It is a necessary element in your suite of defensive technologies to help keep the bad guys at bay. In my post I'm simply explaining a personal tradeoff I've made on my own machines at home--that by not running as admin (which I didn't mention before), by using UAC, by relying on the firewall, and by training my family--I have made the decision not to use anti-malware.

So should you make the same tradeoff? Well, that depends. If you're asking me about your own use of your own personal computers at home, I can't answer that for you; you need to. Remember what I wrote: "I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run." Do you have similar self-control? :)

If you're the security administrator for an organization, you should not make this tradeoff. Again, remember what I wrote about my own self-control; I doubt that anyone could make such a statement for everyone in their organization! Antimalware definitely belongs on machines where users can store or transfer files:

client computers

email servers

file servers

SharePoint servers

The purpose of my earlier post was to spark a little discussion, to see what other opinions there might be. Some folks are doing the same thing I am, others always run anti-malware on every computer. Neither stance can be declared "right" or "wrong." It's simply a reflection that we all make tradeoffs, every day, when we decide how to manage and use our computers. And as I suspected, different folks make different tradeoffs, based on their own risk tolerance and experience. These are always good conversations to have.

Wow! That's a pretty daunting list. Let me explain a bit more what I mean by "where users store or transfer files."

Specifically, I mean that I view AV as unnecessary on: domain controllers, RADIUS/DNS/DHCP servers, print servers, SQL Servers, SMS/MOM/WSUS/System Center servers, web servers -- and anything else not in my specific list of included servers. Users do not (typically!) have the ability to store files in these locations. Installing AV on these servers significantly increases your complexity and adds to your management burden, while providing you with no security benefit.

If you think about where users can store or transfer files, then it makes perfect sense to limit server AV to my short list: email/Exchange servers and file/SharePoint servers. And one of the many cool things about Forefront Server Security is that it already knows which parts of those servers to scan and not to scan. So there's less configuration and maintenance work on the security administrator's part.

stuart

26 Sep 2007 3:24 PM

The only reason I have AV software installed on my computer is that there are several networks I connect to that require it. But I always have all the unnecessary features turned off, and leave the file monitor deactivated - unless I'm about to connect to a network that requires up to date AV software.

I would never recommend this to any of my friends or family though!

Tony Bradley, Microsoft MVP

27 Sep 2007 8:21 AM

I couldn't agree more. Your original post actually sparked me to write a post on my own blog, referencing yours, where I discussed some of the issues with antimalware and why it may be unnecessary for some. But, as you do here, I stressed that this is not the case for the vast majority of home PC users or corporate network users.

My experience with antivirus software is that it's generally intrusive and crappy. I feel that having it exposes me to more security issues than doing without.

Furthermore, the very fact that antivirus software is necessary for less experienced users demonstrates a failure of OS vendors to deliver operating systems that don't easily become insecure. The very need for antivirus software is a shame.

Donna Manley

11 Oct 2007 5:55 AM

Ok, I have a question in regards to the Microsoft Firewall and Norton. I have the Microsoft Firewall on and a Corporate Edition of Norton. But ever since I turned on the Microsoft Firewall I get a message that says "Norton Internet Worm Protection is turned off".

Donna, unfortunately I can't help you with the Norton problem--I've never used any of those products. Have you contacted Symantec? That's about the only thing I can think of. Have you tried entering that error message in your favorite search engine? Maybe you'll find something that way.

Michael

1 Nov 2007 9:45 AM

Now it just sounds like elitist garbage.

I don't run av, but it's not because I think I know what not to click but most other people don't.

Michael, I suppose if you think my position is "elitist," that's your opinion. However, you're making an overstatement.

Anti-malware is just one of many, many choices we all have when it comes to securing our systems. But before making any choices, we must first understand the risks each of us faces and also have a feel for our individual "risk tolerances."

For example, I have long been recommending that folks not use account lockout, because it creates more risks than it alleviates, and you can satisfy the supposed threat by using long passphrases. Is it also "elitist garbage" not to use account lockout as well? Just because a security feature exists, does it have to be enabled or used?

Nowhere have I said that avoiding anti-malware is something for everyone. I said that I don't use it on my own computers because I am addressing the malware threats in other ways. This is always an option, of course: for every threat, there are multiple mitigations.

ABIDEMI ADEWUMI/ JOE

13 Nov 2007 11:29 AM

STEVE, you are a strong military, as I can say, because of your strong defence against the attacker of data. I give you a big salute. But in my own view, using an anti-virus program is very important to protect our data against the attackers, because not all people have the kind of experience you have in not using anti-virus software. In my own view, non-professional computer users are strongly advised to use an anti-virus program. Thanks so much, Steve boy.

Joe-- As I have repeatedly said, my own decision not to use anti-malware on my computers is not a recommendation that I'm making for everyone. Because many people have asked me, I decided to write about my own decision, for my own machines. There's absolutely nothing wrong with continuing to use anti-malware software if you want to. Just like I believe it's wrong to state that anti-malware should never be used by anyone, it's also wrong to state that anti-malware should always be used everywhere by everyone. Security decisions must descend from individual risk analyses, never from reading someone else's list of "best practices."